Secure Boot Certificate Expiration: What’s Changing in 2026 and How to Prepare Your Devices

Starting in June 2026, three Microsoft Secure Boot certificates that have protected Windows devices for over a decade will begin to expire. For most organizations, the consequence isn’t immediate—devices will continue to boot, applications will continue to run, and users won’t notice a thing. The risk is quieter than that. Once these certificates expire, the foundational security layer that blocks malicious code from running before Windows even loads stops receiving updates, leaving devices increasingly exposed to the next generation of boot-level threats.

The good news: this is a manageable transition, not a crisis. But it does require action before the deadline.

Why Secure Boot Matters for Endpoint Security

Secure Boot is a UEFI (Unified Extensible Firmware Interface) security feature that verifies the digital signature of every component loaded during the boot process—from firmware drivers to the Windows bootloader itself. If something isn’t signed by a trusted certificate, it doesn’t run. This makes Secure Boot one of the earliest and most effective lines of defense against rootkits, bootkits, and other firmware-level malware that aim to compromise a device before the operating system or any endpoint security tools come online.

For organizations subject to compliance frameworks like CMMC 2.0—particularly those in the Defense Industrial Base—Secure Boot isn’t an optional hardening step. It’s a foundational control.

“Secure Boot blocks malware early in the boot process… but three key certificates expire this year, which could leave devices exposed to new threats.” — Hidra Antar, Senior Consultant at Ravenswood Technology Group

Three Microsoft Secure Boot Certificates Expiring in 2026

Beginning in June 2026, three certificates that anchor Secure Boot trust on Windows devices will reach their expiration dates:

  • Microsoft Corporation KEK CA 2011 — Signs updates to the Key Exchange Key (KEK) and Signature Database (DB), which authorize Secure Boot policy updates on the device.
  • Microsoft Corporation UEFI CA 2011 — Signs third-party operating systems, hardware driver components, and third-party option ROMs.
  • Microsoft Windows Production PCA 2011 — Signs the Windows bootloader and core boot components.

Together, these three certificates form the trust foundation for nearly every Windows device shipped in the past decade.

What Happens If Secure Boot Certificates Expire Without Remediation

If you do nothing, your devices won’t suddenly stop working. They will continue to boot, log in, and operate as normal. The problem develops over time:

  • Windows Boot Manager and Secure Boot components will no longer receive security fixes. Microsoft cannot issue trusted updates to devices that still rely on expired root certificates.
  • Components signed with newer certificates may not be trusted. As Microsoft transitions to its 2023-issued replacement certificates, anything signed with the new chain will fail validation on devices that haven’t received the updated trust roots.
  • Future boot-level vulnerabilities will go unpatched. The BlackLotus UEFI bootkit, discovered in 2023, is a recent example of the kind of threat Secure Boot is designed to stop—and the kind of attack that will become harder to defend against on devices stuck with expired certificates.

For regulated industries, large Windows fleets, and DIB contractors, the compounding risk of unpatched firmware-level vulnerabilities is significant.

How to Update Secure Boot Certificates: Three Remediation Options

To receive the updated certificates, you need to deploy a policy that opts your devices in to the Secure Boot certificate update. Microsoft offers three deployment paths depending on how your devices are managed.

Option 1: Microsoft Intune (Recommended for Modern Management)

For cloud-managed environments, Intune is the most streamlined path:

  1. Create a new Settings Catalog configuration policy.
  2. Browse by category and select Secure Boot.
  3. Enable the setting “Configure Microsoft Update Managed Opt In”.
  4. Enable the setting “Enable Secure Boot Certificate Updates”.
  5. Assign the policy to your target device groups.

Option 2: Group Policy (For Domain-Joined Devices)

For traditional on-premises and domain-joined fleets:

  1. Open the Group Policy Management Console.
  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Secure Boot.
  3. Enable the policy “Enable Secure Boot certificate deployment”.
  4. Link the GPO to the appropriate OUs and verify replication.

Option 3: Registry Keys (Advanced/Manual Method)

For one-off devices or scripted deployments outside of MDM/GPO:

  1. Open the registry key HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot.
  2. Set the AvailableUpdates value under that key to 0x5944.

This method is best reserved for advanced administrators who can validate the change through other monitoring tools.

Important Caveats Before You Deploy

A few common situations can complicate the rollout.

Secure Boot must be enabled to receive updates. Certificates cannot be deployed to devices where Secure Boot is disabled in the UEFI firmware. If you discover devices with Secure Boot turned off, enable it first—and if you enable it after the certificates have already expired, update them immediately to close the gap.

Legacy BIOS devices may require deeper remediation. Devices running in Legacy BIOS mode rather than UEFI cannot use Secure Boot at all. In many cases, these systems also use the older MBR (Master Boot Record) partition style, which must be converted to GPT (GUID Partition Table) before Secure Boot can be enabled. This is a more involved change that affects boot configuration and should be planned carefully for older fleet segments.

How Microsoft Is Helping—and Why You Shouldn’t Wait

Microsoft is automatically deploying the updated certificates to devices it classifies as “high-confidence”—typically those it can verify will accept the update without issue. Devices manufactured or shipped after 2023 should already have the updated certificates installed.

That said, waiting passively to be flagged as high-confidence is a risky strategy. Microsoft’s automatic rollout doesn’t cover every device in every environment, and there’s no guarantee your fleet will be fully remediated before the June 2026 deadline. Admins managing devices through Intune can use the built-in status report for Secure Boot certificate updates to track readiness across the fleet and identify devices that need manual intervention.

Building a Secure Boot Transition Strategy for Your Organization

A successful Secure Boot certificate transition isn’t just a technical task—it’s a fleet-wide endpoint hygiene initiative. We recommend the following approach:

  • Inventory and assess. Identify every Windows device in scope, including its UEFI/BIOS mode, Secure Boot status, and current certificate state.
  • Choose the right remediation path. Map devices to the deployment method that fits their management model—Intune for cloud-managed endpoints, Group Policy for domain-joined devices, and registry-based remediation for edge cases.
  • Prioritize high-value targets. Regulated workloads, privileged endpoints, and devices used by administrators should be remediated first.
  • Monitor and verify. Use Intune reporting and event logs to confirm successful deployment and catch failures early.
  • Connect to broader endpoint hardening. Secure Boot remediation pairs naturally with Privileged Access Workstation deployments, Microsoft Intune modernization, and broader Zero Trust endpoint initiatives.
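One way to script the “inventory and assess” step above together with the Option 3 registry opt-in, as an added example rather than code from the original post or from Microsoft. It assumes an elevated PowerShell session on a Windows device with the SecureBoot and Storage cmdlets available, relies on the Windows-provided firmware_type environment variable, and uses the AvailableUpdates value from Option 3; the Get-SecureBootReadiness and Enable-SecureBootCertOptIn function names are the example’s own.

```powershell
# Added example (not from the original post, Ravenswood or Microsoft). Assumes an
# elevated PowerShell session on a Windows 10/11 device with the SecureBoot cmdlets.

function Get-SecureBootReadiness {
    $regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $firmware  = $env:firmware_type      # Windows sets this to 'UEFI' or 'Legacy'
    $sbEnabled = $false; $has2023Ca = $false
    if ($firmware -eq 'UEFI') {
        # Confirm-SecureBootUEFI throws on platforms without Secure Boot support
        try { $sbEnabled = [bool](Confirm-SecureBootUEFI) } catch { $sbEnabled = $false }
        if ($sbEnabled) {
            # Once the update has landed, the 2023 CA appears by name in the db variable
            $dbText    = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
            $has2023Ca = $dbText -match 'Windows UEFI CA 2023'
        }
    }
    # Partition style of the disk Windows booted from; MBR must become GPT first
    $style = (Get-Disk | Where-Object IsBoot | Select-Object -First 1).PartitionStyle
    # Option 3 opt-in value; $null means no opt-in has been set on this device
    $optIn = (Get-ItemProperty -Path $regPath -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates

    if     ($firmware -ne 'UEFI') { $action = 'Convert to UEFI/GPT before Secure Boot can be enabled' }
    elseif (-not $sbEnabled)      { $action = 'Enable Secure Boot in firmware, then opt in' }
    elseif ($has2023Ca)           { $action = 'Already updated' }
    elseif ($optIn -eq 0x5944)    { $action = 'Opted in; waiting for the update to apply' }
    else                          { $action = 'Opt in via Intune, Group Policy or registry' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        FirmwareType      = $firmware
        SecureBootEnabled = $sbEnabled
        PartitionStyle    = $style
        Has2023CA         = $has2023Ca
        AvailableUpdates  = $optIn
        RecommendedAction = $action
    }
}

function Enable-SecureBootCertOptIn {
    # Option 3, gated on the "Secure Boot must be enabled" caveat from the post
    $state = Get-SecureBootReadiness
    if (-not $state.SecureBootEnabled) {
        throw "Secure Boot is not enabled on $($state.ComputerName); the certificate update would not apply."
    }
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot' -Name AvailableUpdates -Value 0x5944 -Type DWord
}

Get-SecureBootReadiness | Format-List
```

Run the readiness function across the fleet first (for example via a remoting session or an Intune script) and export the objects to CSV; Enable-SecureBootCertOptIn is only for the registry-managed edge cases the post describes.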

Partner with Ravenswood for Secure Boot Certificate Updates

The Secure Boot certificate expiration is the kind of foundational security change that’s easy to deprioritize—until a critical vulnerability is announced and devices in your fleet are no longer eligible for the fix. Ravenswood’s consultants help organizations assess their endpoint fleet, design the right remediation strategy, and execute it through Intune, Group Policy, or hybrid management models.

If you’re ready to start planning your transition, our Active Directory Health Check is a great starting point. It provides a holistic look at your identity and endpoint posture, surfacing exactly the kind of gaps—like expiring trust roots and unmanaged endpoints—that can quietly erode your security baseline over time.

Get in touch with Ravenswood to talk through your Secure Boot transition plan with experts you can trust.
